Risk assessments are often underestimated for how much they contribute to a business’s security posture, and for how they affect other functions such as insurance. We talked to Anthony Stevens, CEO and Co-Founder of 6clicks. Well acquainted with digital transformation and the author of Chasing Digital, Anthony moved into risk and compliance because he saw an opportunity in an area that was still served by dated products. No dominant platform existed in the marketplace, so he started 6clicks to simplify the process with a SaaS risk and compliance system. Read on to learn what risk assessments do for your security and how to get started.
1. Risk Moves Through a Network
Understanding how risk moves can ultimately help you understand how relevant a threat is to your business. Risk assessments are broadly thought of in two ways: the first relates to your own business and the second to supply chain risk. With regard to your own business, there are global or local security standards that your business should comply with. This means undertaking a self-assessment of your business, asking a series of questions to determine security maturity, and using that insight to manage the gaps you find. In terms of supply chain risk, some of the companies you do business with, or that supply you with services, need to be considered as part of your business. Risk assessments conducted against the parties in your supply chain give you an understanding of how appropriate their controls are for managing data that belongs to you.
2. Identify the Scope Relevant to Your Business
Perhaps the most common oversight that jeopardises security is failing to identify how broad and deep the scope of your risk assessment needs to be. If you get the scope wrong or omit major areas of your business, you can be badly exposed. “The first place that we suggest companies start is to understand their information assets.” You have to understand what you’re looking to protect. “For some businesses in financial services that’s information about customers and the money stored in bank accounts, in manufacturing it’s supply chain, in transport logistics it’s customers’ addresses or personally identifiable information.” Once an asset has been identified you can build a risk profile around it to understand who manages it, how it’s managed, and ultimately how it’s secured.
3. Stay Focused on the Controls
When it comes to cybersecurity, many businesses understand the need for an information security management system, which is essentially a series of processes that help manage risks to the business. The risks and threats to most businesses are ongoing, so time should be spent managing and addressing those risks, not on the process itself. As it stands today the process mostly still takes place in spreadsheets or Word documents, which is a very manual way of working. Add the heavy policy documentation and asset management on top of that, among other things, and you can see how arduous the process becomes. “A lot of the software out there is basically forms strung together with a workflow. They’re empty systems to begin with and they require companies to cut and paste stuff from other documents and put it into the system to get it up and running.” Digitising the whole lifecycle of this process can lower the overhead and let the focus shift to addressing the gaps with controls.
4. The Future of Assessing Cyber Risk
A lot of software solutions already use various forms of predictive analytics, but there’s room to do more. “We think there’s a significant role for artificial intelligence in helping companies undertake risk assessments but also ensure compliance against multiple standards around the world.” There are the standard risk assessment frameworks such as ISO27001, more complex ones such as NIST CSF, and many other standards specific to particular contexts. 6clicks maintains 12,000 provisions across a range of these standards on its platform. In terms of artificial intelligence capability, the question they’re asking is: “how do we bring automation to areas of compliance specifically helping companies identify similar provisions across different standards?” For example, if you’re compliant with ISO27001 you can quickly identify other standards that you may also be compliant with. Anthony also foresees the integration of news and current events into SaaS platforms like his, to give people a real-time sense of what’s happening that could affect the risks they’ve identified for their business.
Ultimately, managing cyber risk and compliance and undertaking a self-assessment for your business can significantly move you into a more cyber secure state. The points above guide you to make sure that the full picture of your system is well understood. Look for platforms such as 6clicks that streamline the process of managing and assessing risk so that you can focus on managing the gaps and controls in your business.